Vulnerability assessments identify exploitable weaknesses and suggest ways to eliminate or mini­mize them. Criticality assessments are "designed to systematically identify and evaluate an organiza­tion's assets based on the importance of its mission or function, the group of people at risk, or the sig­nificance of a structure."[4] These three assessments can then be assembled into a bird's-eye view of the situation. Using these reviews, an organization can create a comprehensive risk management strategy to guide decision-making and resource allocation.

There are two categories of risk: risks with think­able consequences and those with unthinkable ones. Thinkable risks have few secondary effects and are geographically and temporally bound. For such risks, the goal is to minimize the single points of failure, cascading effects, and uncertainty by focusing on rapid reconstitution and recovery and by building security awareness.Unthinkable risks involve very large loss of life, great damage, and effects spread over time and space, such as a nuclear attack. For unthinkable risks, the entities involved need to focus on countermeasures, recov­ery, and attribution.

Efforts should be apportioned between think­able and unthinkable scenarios. Thinkable situa­tions need to be made less terrifying while unthinkable ones are made less likely.

A functional risk management system needs four components.

• First, any system needs to be able to analyze several interdependencies. The post-Cold War world is complex, and there are many impor­tant variables.
• Second, effective information sharing depends on a high degree of trust between data owners and those who want to analyze information.
• Third, effective assessments require collecting and inputting as much of the relevant, know­able data as possible. Risk management deals in possibilities and probabilities. The analysis can only be as good as the available information.
• Finally, the nation needs to realize that no sys­tem is perfect, but that any reasonable attempt to allocate resources should improve the prob­ability of preventing an attack.

Even if information-sharing problems are elimi­nated, the federal government still needs to deter­mine where to focus its efforts. The federal government should target resources toward the critical infrastructure in which it has a vested inter­est. The current list of critical infrastructure is too expansive, including sectors that are not truly vital to the federal government's functioning. The fed­eral government has a vested interest in only the energy, finance, telecommunications, and transpor­tation sectors.

Once the DHS compiles a limited list of vital crit­ical infrastructure, the responsibility for protecting that infrastructure should be divided according to vulnerabilities and threats. The private sector should work to achieve reasonable reductions in the vulnerabilities (weaknesses) in its infrastruc­ture; the federal government should address out­side threats to the infrastructure.

The federal government-not the private sec­tor-is responsible for preventing terrorist acts through intelligence gathering, early warning, and domestic counterterrorism. The private sector is responsible for taking reasonable precautions, much as it is expected to take reasonable safety and envi­ronmental precautions. The federal government also has a role in defining what is "reasonable" as a per­formance-based metric and facilitating information sharing to enable the private sector to perform due diligence (e.g., protection, mitigation, and recovery) in an efficient, fair, and effective manner.

A model public-private regime would (1) define what is reasonable through clear performance mea­sures, (2) create transparency and develop means to measure performance, (3) establish ways for the market to reward good behavior, and (4) ensure that any "fix" does not cripple the economic engine that supports the society and liberties Americans enjoy.

The right national critical infrastructure plan would combine reasonable efforts by the private sector to protect its facilities with government counterterrorism efforts to provide a layered defense.

The National Critical Infrastructure Plan

On paper, the approach to protecting critical infrastructure has been correct. Both the National Strategy for Homeland Security and the National Strategy for the Physical Protection of Critical Infra­structures and Key Assets recommend a risk-based approach with responsibilities shared between the federal government and the private sector:

Effective and efficient risk assessment, protection planning, and resource allocation go hand in hand.… Because of…resource limitations, federal, state, and local authorities must collaborate more efficiently to assess, plan, and allocate their limited resources.[5]

1. "[C]arry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States";
2. "[I]ntegrate relevant information, analyses, and vulnerability assessments" to "identify priorities for protective and support measures by the Department, other agencies of the Federal Gov­ernment, State and local government agencies and authorities, the private sector, and other entities";
3. "[D]evelop a comprehensive national plan for securing key resources and critical infrastruc­ture of the United States"; and
4. "[R]ecommend measures necessary to protect the key resources and critical infrastructure" in coop­eration with other federal agencies, state govern­ments, the private sector, and other entities.[6]

The DHS also needs a high-level policy officer in the form of an Undersecretary for Policy to articu­late and coordinate policy guidance throughout the department. This individual should report to the deputy secretary. The undersecretary's responsibili­ties should be established by law and should include "coordinating DHS policy," "conducting long-range policy planning," "preparing critical strategic documents," "conducting program analy­sis," and "preparing net assessments."[10] A unified policy office would be the appropriate place to cre­ate risk management policies, examine how to bal­ance responses between thinkable risks and unthinkable risks, and sort through information-sharing policy problems.

Engaging the Private Sector. To creating a risk-based system that incorporates private-sector enti­ties, Congress and the Administration should:

• Strengthen PCII protections. The DHS set up the Protected Critical Infrastructure Informa­tion (PCII) Program to encourage the private sector to share sensitive and proprietary busi­ness information about critical infrastructure with the federal government. Members of the private sector can voluntarily submit sensitive information to the DHS with the understanding that the DHS will protect the information from public disclosure, assuming that all the require­ments of the Critical Infrastructure Information Act of 2002 have been met. The PCII regula­tions are very strict, requiring a specific request to consider whether information meets the cri­teria to be labeled as PCII as well as data to jus­tify such a decision.

While the program is a good start, it is not yet clear how widely the federal government will disseminate the information. The program is currently set up to distribute PCII within the DHS, but there are plans to disseminate such information as necessary to authorized individ­uals in federal, state, and local governments and in the private sector. The DHS plans to require agencies, governments, and other enti­ties to meet accreditation requirements (e.g., training staff on proper handling of PCII and obtaining nondisclosure agreements from staff) before receiving PCII. States must also sign memoranda of understanding with the pro­gram manager before they receive PCII.

These measures seem appropriate, but the proof will be in the actual implementation. The guidelines and regulations will need to balance protecting sensitive information with promot­ing information sharing.

In addition to fears about public disclosure, the private sector is concerned that the govern­ment will use voluntarily submitted informa­tion to impose intrusive regulation and that private lawyers could obtain this information through the discovery process and then use it in litigation against the private sector. To encourage private industry to submit informa­tion to the PCII program, Congress should clarify to whom and under what conditions the information may be disseminated or used in private litigation.

• Clarify the Sarbanes-Oxley Act's application to homeland security. In an attempt to improve corporate governance, the Sarbanes-Oxley Act of 2002[11] mandates that public com­panies take certain actions. For instance, it requires that chief executive officers certify that they have reviewed the financial practices of their companies and understand risks that may affect the financial reporting process.

While improved corporate governance sounds good, especially after Enron and other scandals, how the act would apply to homeland security issues is unclear. What would happen under the law if a terrorist attack on a piece of critical infrastructure caused the value of a corpora­tion's stock to plummet? Could a stockholder sue the company for having an inadequate risk management strategy and failing to disclose its vulnerabilities?[12]

There are at least three ways to address this problem: (1) The Securities and Exchange Commission could clarify how it intends to apply the legislation; (2) Congress could repeal the Sarbanes-Oxley Act; or (3) Congress could carve out a "safe haven" in the law for certain situations (e.g., terrorist attack). SEC guidance would at least alert companies to what the expectations are. Repealing the law, which has other problems, could alleviate burdensome reporting requirements while removing worries about its application to homeland security.

• Minimize liability risks. If CI owners and operators alert the federal government to vul­nerabilities and then terrorists exploit one of these weaknesses, there is concern that such disclosures could be used against owners and operators in lawsuits. Furthermore, owners and operators face liability issues with regard to their piece of infrastructure being turned into a weapon and any resulting death and destruction.

To counter these concerns, a good first step would be to create safe harbors for certain sec­tors. Congress should create a list of actions that are deemed to be reasonable precautions. There are parallels in other areas that share sim­ilar public policy concerns. Tort reform could also help to reassure the private sector about these liability issues.

The Support Anti-Terrorism by Fostering Effec­tive Technologies (SAFETY) Act of 2002 is one tort reform measure that is already in existence. However, it has been underutilized by the DHS, and many in industry consider it complex and confusing. The legislation limits liability for tort claims that arise out of, relate to, or result from a terrorist act in which a qualified anti-terror­ism technology has been deployed. The act does not limit liability if a terrorist act has not occurred. The SAFETY Act applies to all forms of technology (e.g., products, software, ser­vices, and various forms of intellectual prop­erty). The Administration and Congress should clarify the SAFETY Act as necessary and push for its use where appropriate.

• Develop the business case for homeland security. The DHS frequently argues that it needs access to information from the private sector and that it is putting forth rules to pre­vent another terrorist attack. While that may be true, the DHS needs to present sound economic and business reasons for the private sector to assist in protecting the nation.

To bolster this effort, and because current esti­mates vary significantly, the DHS should com­mission a rigorous study of the economic consequences of different types of terrorist attacks. Such a study could help to demon­strate the business case for improving security measures. The DHS and the private sector also need to cooperate on rulemaking; otherwise, the DHS is likely to create rules that bear little relation to reality, hindering economic growth and failing to improve the nation's security.

• Harmonize U.S. laws with the laws of other countries. U.S. laws need to be harmonized with the laws of other countries and with inter­national law to improve the government's abil­ity to exchange information and prosecute criminals and terrorists. For instance, cyber attacks against U.S. critical infrastructure can originate from anywhere. It is important that other countries have appropriate laws and agreements in place to allow prosecution of cyber crime.

Other countries' laws also need to mesh with U.S. law so that terrorists and other criminals cannot slip through any legal gaps. In some cases, the Administration will need to conclude agreements with nations that have significantly different laws. For instance, the United States and the European Union negotiated an agree­ment to share international airline passenger data when privacy laws conflicted. Just as the EU and the United States negotiated ways to share information, the United States should work to reconcile its laws and policies with those of other nations and the international community.

• Promote the effective sharing of informa­tion. Actionable information is central to any counterterrorism effort, and a variety of infor­mation-sharing programs already exist. The Homeland Security Operations Center runs two information-sharing networks: the Home­land Security Information Network (HSIN), which is an Internet-based counterterrorism communications tool, and the Homeland Secu­rity Information Network-Critical Infrastruc­ture, which provides real-time information to CI owners and operators.[13] Now that the DHS has established these networks, the right peo­ple need to use them to exchange information.

Moreover, these tools need to be integrated with private-sector information-sharing mech­anisms because the private sector also shares and analyzes information without government involvement. The DHS has started to address these needs through the HSIN and by encour­aging private-sector formation of Sector Coor­dinating Councils. Whether this effort succeeds will depend in part on whether the federal gov­ernment and CI owners and operators can divide responsibilities for vital CI according to threats and vulnerabilities. The more the DHS acts as a coordinating agency and focuses on outside threats to important critical infrastruc­ture, the greater the likelihood that the private sector will participate.

One congressional attempt to promote infor­mation sharing is the Intelligence Reform and Terrorism Protection Act of 2004,[14] commonly known as the 9/11 Reform Bill, which requires the President to establish an "information shar­ing environment" (ISE) to distribute intelli­gence regarding terrorism to appropriate federal, state, local, and private entities. It requires the President to designate an organiza­tional and management structure to establish and maintain the ISE and report back to Con­gress within one year on the plans for imple­mentation. It also creates an Information Sharing Council to advise the President and the ISE program manager on developing policies, procedures, guidelines, roles, and standards for establishing and maintaining the ISE.

Over the long term, the ISE could provide crit­ical capabilities for enhancing the role of state and local agencies in counterterrorism opera­tions. To ensure that they can appropriately access and contribute to the ISE, state and local representatives should be given key positions on the Information Sharing Council so that their needs and potential contributions can be adequately addressed.

Conclusion

The federal government is responsible for pre­venting terrorist attacks through intelligence gather­ing, early warning, and domestic counterterrorism. The CI private sector is responsible for taking rea­sonable precautions to reduce its vulnerabilities, thereby limiting the ability of terrorists to exploit these weaknesses.

The federal government needs both to define clearly what it believes are reasonable actions for the private sector and to address liability issues. Congress and the Administration need to further consolidate and coordinate the DHS, remove impediments to private-sector involvement, and facilitate effective information sharing among pub­lic and private entities. Neither the federal govern­ment nor private CI owners and operators can fully protect critical infrastructure against terrorist attacks-they must work together to be successful.

Alane Kochems is a Research Assistant in the Kathryn and Shelby Cullom Davis Institute for Inter­national Studies at The Heritage Foundation.